METHODS AND APPARATUS FOR OPERATING A SYSTEM

Background of Invention 

[0001] This invention relates generally to apparatus and methods for operating a system
and more particularly to apparatus and methods for operating a nuclear reactor. 

[0002] A typical boiling water reactor (BWR) includes a pressure vessel containing a
nuclear fuel core immersed in circulating coolant water that removes heat from the
nuclear fuel. The water is boiled to generate steam for driving a steam
turbine-generator for generating electric power. The steam is then condensed and the
water is returned to the pressure vessel in a closed loop system. A plurality of piping
circuits carry steam to the turbines and carry recirculated water or feed water back to
the pressure vessel that contains the nuclear fuel.

[0003] The BWR includes several conventional closed-loop control systems that control 
various individual operations of the BWR in response to demands. For example, a 
control rod drive control system (CRDCS) controls the position of the control rods 
within the reactor core, controlling the rod density within the core, which determines
the reactivity of the core, which in turn determines the output power of the reactor 
core. A recirculation flow control system (RFCS) controls core flow rate, which changes 
the steam/water relationship in the core and can be used to change the output power 
of the reactor core. These two control systems work in conjunction with each other to 
control, at any given point in time, the output power of the reactor core. A turbine 
control system (TCS) controls steam flow from the BWR to the turbine based on 
pressure regulation or load demand. 

[0004] The operation of these systems, as well as other BWR control systems, is
controlled utilizing various monitoring parameters of the BWR. Some monitoring
parameters include core flow and flow rate affected by the RFCS, reactor system
pressure, which is the pressure of the steam discharged from the pressure vessel to
the turbine that can be measured at the reactor dome or at the inlet to the turbine,
neutron flux or core power, feed water temperature and flow rate, steam flow rate
provided to the turbine and various status indications of the BWR systems. Many
monitoring parameters are measured directly, while others, such as core thermal
power, are calculated using measured parameters. Outputs from the sensors and
calculated parameters are input to an emergency protection system to assure safe
shutdown of the plant, isolating the reactor from the outside environment if
necessary, and preventing the reactor core from overheating during any emergency
event.

[0005] An essential requirement of a nuclear reactor protection system is that it must not
fail when needed. Therefore, unless the operator promptly and properly identifies the
cause of an abnormal transient event in the operation of the reactor, and promptly
effects remedial or mitigating action, conventional nuclear reactor protection systems
will automatically effect reactor trip. However, it is also essential that reactor trip be
avoided when it is not desired or necessary, i.e., when there is an error in the
instrumentation or when the malfunction is small enough that reactor trip is
unnecessary. When one shutdown function fails, the reactor protection system must
not perform the next shutdown function if to do so would be unsafe. Also, at least
some known reactors include emergency cooling systems which monitor operation of
the reactor.

[0006] In the event of an unsafe condition, a shut-down system or a safe operation
system can automatically effect remedial action such as changing the reactor valve
alignment from a normal operating mode to an emergency operating mode thereby 
preventing an unsafe or potentially unsafe condition. After the unsafe condition has 
been resolved, systems are returned to a standby mode and an operator is required to 
manually align the reactor for other system modes. Operator alignment may result in 
alignment errors and produce undesirable results. Further, the use of checklists to 
facilitate system alignment may require two operators to realign the system to a 
second operating mode. 

Summary of Invention

In one aspect, a method for operating a system having a plurality of modes and 
interlocks between the modes is provided. The method includes operating the system 
in a first mode and switching the system to a second mode without going to a standby 
mode. 

In another aspect, a method for operating a system having a plurality of modes 
and interlocks between the modes is provided. The method includes operating the 
system in a first mode, manually changing the system while operating in the first 
mode, and re-initializing the system in the first mode without going to a standby 
mode. 

In a further aspect, a system having a plurality of modes and interlocks between 
the modes is provided. The system includes a computer and a fail safe initiation logic 
program installed on the computer. The fail safe initiation logic circuit is configured to 
operate the system in a first mode and switch the system to a second mode without 
going to a standby mode. 

In a still further aspect, a computer readable medium encoded with a program 
executable by a computer for operating a system having a plurality of modes and 
interlocks between the modes is provided. The program is configured to instruct the 
computer to operate the system in a first mode and switch the system to a second 
mode without going to a standby mode. 

Brief Description of Drawings 

[0011] Figure 1 is an illustration of an exemplary power plant system.

[0012] Figure 2 is a flow chart of a method for operating the system illustrated in
Figure 1.

[0013] Figure 3 is a logic diagram of a fail-safe initiation logic instruction set for
operating the system illustrated in Figure 1.

Detailed Description 

[0014] There is herein provided a formal methodology for implementation of a fail-safe
initiation logic instruction set for a power generating system. It is contemplated that
the benefits of the present invention accrue to all implementations of power plant
safety systems and implementations in non-safety related applications for systems
other than power generating systems.

[0015] Figure 1 is an illustration of an exemplary power plant system 2 which includes a
generating system 4 and a computer 6. As used herein, the term computer is not 
limited to just those integrated circuits referred to in the art as computers, but 
broadly refers to computers, processors, microcontrollers, microcomputers, 
application specific integrated circuits, and other programmable circuits. In one 
embodiment, computer 6 includes a device 8 for reading and writing onto a 
removable media 9. For example, device 8 is a floppy disk drive, a CD-R/W drive, or a 
DVD drive. Correspondingly, media 9 is either a floppy disk, a compact disk, or a DVD. 
Device 8 and media 9 are used in one embodiment to input machine readable 
instructions that are processed by computer 6. 

[0016] In one embodiment, generating system 4 includes a boiling water nuclear reactor
10 which contains a reactor core 12. Water 14 is boiled using the thermal power of
reactor core 12, passing through a water-steam phase 16 to become steam 18. Steam
18 flows through piping in a steam flow path 20 to a turbine flow control valve 22
which controls the amount of steam 18 entering steam turbine 24. Steam 18 is used
to drive turbine 24 which in turn drives electric generator 26 creating electric power.
Steam 18 flows to a condenser 28 where it is converted back to water 14. Water 14 is
pumped by feedwater pump 30 through piping in a feedwater path 32 back to reactor
10. System 4 also includes an emergency core cooling system (ECCS) (not shown)
which includes at least one of a residual heat removal (RHR) system, a reactor core
isolation cooling (RCIC) system, and a high pressure core flooder (HPCF) system.

[0017] Figure 2 is a flow chart of one embodiment of a method 50 for operating system 4
(shown in Figure 1) that has a plurality of modes and interlocks between the modes.
Method 50 includes operating 52 system 4 in a first mode and switching 54 system 4
to a second mode without going to a standby mode using a fail safe initiation logic
instruction set 100. In one embodiment, the plurality of modes include modes such
as, but not limited to, a residual heat removal mode, a reactor core isolation cooling
mode, and a high pressure core flooder mode.

[0018] Figure 3 is a schematic illustration of an exemplary embodiment of a fail-safe
initiation logic instruction set 100, installed on computer 6 (shown in Figure 1) for use
with system 4. In an exemplary embodiment, fail-safe initiation logic instruction set
100 is a computer readable medium installed on computer 6 to instruct computer 6 to
perform the embodiments described herein.

[0019] In one embodiment, fail-safe initiation logic instruction set 100 includes a first 
logic mode 102 and a second logic mode 104. Alternatively, logic instruction set 100 
includes more than two logic modes to align system 4 in a plurality of different 
configurations as selected by the operator. 

[0020] First logic mode 102 includes a first mode arm switch 110, a first mode initiate
switch 112, a plurality of logic functions, such as, but not limited to, an OR gate 120,
an OR gate 122, an OR gate 124, an AND gate 126, an AND gate 128, and an AND
gate 130. First logic mode 102 also includes a pulse output timer 140, a pulse output
timer 142, a pulse output timer 144, a pulse output timer 146, a delay initiation timer
150, and a flip-flop 160.

[0021] Second logic mode 104 includes a second mode arm switch 210, a second mode
initiate switch 212, a plurality of logic functions, such as, but not limited to, an OR
gate 220, an OR gate 222, an OR gate 224, an AND gate 226, an AND gate 228, and
an AND gate 230. Second logic mode 104 also includes a pulse output timer 240, a pulse
output timer 242, a pulse output timer 244, a pulse output timer 246, a delay
initiation timer 250, and a flip-flop 260.

[0022] In one embodiment, flip-flops 160 and 260 are set-override reset (SO, R)
flip-flops which allow the set function to override the reset function, allowing one
permitted mode to drop out from another mode. Pulse output timers 140, 240, 142,
242, 144, and 244 allow a downstream system logic to proceed for a pre-determined
time and will reinitiate when permissive logic is removed from an upstream side. When
permissive logic is received, delay initiation timers 150 and 250 will delay downstream
permissive logic by a pre-determined time, and will reset when the input signal is
removed.

[0023] By way of illustration only, and not by way of limitation, only two logic modes are
illustrated in Figure 3. In use, an operator selects a desired operational mode to
change system 4 current configuration to a pre-determined configuration, such as,
but not limited to a Mode One, a Mode Two, and a standby mode. As used herein,
mode describes a pre-determined system 4 configuration of such typical system
components, including, but not limited to, valves, dampers, motors, and pumps.
Standby mode is a term of art in the nuclear field describing plant configurations
wherein no power is being generated by a reactor and standby mode refers to an
alignment of any system to be dispatched to an operational mode. In other words,
standby mode refers to a safe alignment. Interlocking modes describe a plurality of
pre-determined system 4 configurations of such typical system components,
including, but not limited to, valves, dampers, motors, wherein at least one of the
system components in system 4 may be used in a plurality of different system
configurations, i.e. the components are connected in such a way that a movement or
change in one component causes movement or change in another.

[0024] In one embodiment, system 4 is configured in Mode Two and switching 52 system
4 to another mode, such as Mode One, without going to a standby mode includes
initializing first mode arm switch 110 to generate an output which is input to pulse
output timer 140. In one embodiment, timer 140 is a ten-second timer which delays
timer 140 output signal to AND gate 128. Pulse output timer 140 allows a logic
instruction set 100 to generate an error message, such as, but not limited to,
"Initiation not allowed in Not Permitted Mode". For approximately ten seconds, pulse
output timer 140 output signal is input to AND gate 128. In one embodiment, if
system 4 is in Mode Two, a Mode Two initiated signal is input to OR gate 120 and OR
gate 122. OR gate 120 output is then input to AND gate 126. OR gate 122 output is
input to OR gate 124 which is then input to flip-flop 160 for reset. First logic mode
102 also determines whether the pre-determined permissives have been met. If the
pre-determined permissives for the Mode One have been met, then a signal is input to
AND gate 126 and ANDED with OR gate 120 output. Alternatively, if the
pre-determined permissives for Mode One have not been met then no signal is input to
AND gate 126. AND gate 126 output and timer 140 output are input to AND gate 128
which is then output to AND gate 130. When first mode initiate switch 112 is
initialized, first mode initiate switch 112 output and AND gate 128 output are ANDED
by AND gate 130 which is then output to pulse output timer 142 and pulse output
timer 144.

[0025] In one embodiment, pulse output timer 142, pulse output timer 144, and delay
initiation timer 150 allow the mode to be reset. Additionally, timer 144, in conjunction
with flip-flop 160, allow multiple mode resets, i.e. timer 144 holds flip-flop 160 in
the set-override position until other modes, i.e. mode 2 initiate signal input from OR
gate 124, are reset which drops out the reset command to the selected mode, i.e.
Mode 1. In use, timer 142 is only required if the mode is allowed to re-initialize itself
and pulse output timer 144 will hold an initiation signal for delay initiation timer 150.
Pulse output timer 142 will drop out after a pre-determined time for test. In one
embodiment, pulse output timer 144 includes a delay time which is greater than pulse
output timer 142 delay time. Flip-flop 160 output is then used to actuate at least one
pre-determined system 4 component from a first position or state to a second
position or state. Pulse output timer 150 then drops out to allow the operator to
either re-initialize Mode 1 or switch to another mode such as Mode 2 without going to
a standby mode.

[0026] If system 4 is configured in Mode One and the operator has manually realigned a
component in system 4, Mode One can be re-initialized. In this case, pulse output
timer 142 output is input to OR gate 124 which is input to flip-flop 160. Pulse output
timer 144 holds the initiation signal for delay initiation timer 150 allowing pulse
output timer 142 output to reset flip-flop 160 and allows re-initializing Mode One.
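
The Mode One arm/initiate path of paragraphs [0024] and [0025] can be traced in a small simulation. This is an added example, not code from the patent: the one-tick-per-second clock, the five-tick hold for timer 144, the use of flip-flop 160 output as the "Mode One initiated" signal, and all class and function names are assumptions, and the timer 142 re-initialization path is omitted.

```python
from dataclasses import dataclass

ARM_WINDOW = 10  # timer 140: ten-second window, from the description
HOLD = 5         # timer 144 hold time: constructed value, not from the patent


@dataclass
class PulseTimer:
    """Output stays high for `duration` ticks after a rising edge on the input."""
    duration: int
    remaining: int = 0
    prev: bool = False

    def step(self, inp: bool) -> bool:
        if inp and not self.prev:
            self.remaining = self.duration
        self.prev = inp
        out = self.remaining > 0
        if out:
            self.remaining -= 1
        return out


class SetOverrideFlipFlop:
    """Set wins when set and reset are asserted together."""
    def __init__(self):
        self.q = False

    def step(self, s: bool, r: bool) -> bool:
        if s:
            self.q = True
        elif r:
            self.q = False
        return self.q


class ModeOneLogic:
    def __init__(self):
        self.t140 = PulseTimer(ARM_WINDOW)
        self.t144 = PulseTimer(HOLD)
        self.ff160 = SetOverrideFlipFlop()

    def step(self, arm, initiate, permissives, mode_two_initiated):
        window = self.t140.step(arm)                 # arm switch 110 -> timer 140
        and126 = permissives and mode_two_initiated  # OR 120 output ANDed with permissives
        and128 = and126 and window                   # only while the arm window is open
        and130 = initiate and and128                 # initiate switch 112
        hold = self.t144.step(and130)                # timer 144 drives the set input (assumed)
        return self.ff160.step(hold, mode_two_initiated)  # reset via OR 122 -> OR 124


def run(arm_at, initiate_at, permissives=True, ticks=20):
    """Start in Mode Two; return (mode_one_active, mode_two_active) at the end."""
    logic, mode_two, mode_one = ModeOneLogic(), True, False
    for t in range(ticks):
        mode_one = logic.step(t == arm_at, t == initiate_at, permissives, mode_two)
        mode_two = mode_two and not mode_one         # Mode One initiated resets flip-flop 260
    return mode_one, mode_two
```

With these assumptions, `run(0, 3)` switches directly from Mode Two to Mode One, while `run(0, 10)` leaves the system in Mode Two because the initiate arrives after the ten-second arm window has closed.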

[0027] In another embodiment, system 4 is configured in Mode One and switching 52
system 4 to another mode, such as Mode Two, without going to a standby mode
includes initializing second mode arm switch 210 which is input to pulse output timer
240. In one embodiment, pulse output timer 240 is a ten-second timer which delays
dropping out the output signal. Pulse output timer 240 delay allows a logic instruction
set 100 to generate an error message, such as, but not limited to, "Initiation not
allowed in Not Permitted Mode". For approximately ten seconds, pulse output timer
240 output signal is input to AND gate 228. In one embodiment, if system 4 is in
Mode One, a Mode One initiated signal is input to OR gate 220 and OR gate 222. OR
gate 220 output is then input to AND gate 226. OR gate 222 output is input to OR
gate 224 which is then input to flip-flop 260 for reset. Second logic mode 104 also
determines whether the pre-determined permissives have been met. If the
pre-determined permissives for the Mode Two have been met, then a signal is input to
AND gate 226 and ANDED with OR gate 220 output. Alternatively, if the
pre-determined permissives for Mode Two have not been met then no signal is input to
AND gate 226. AND gate 226 output and timer 240 output are input to AND gate 228
which is then output to AND gate 230. When second mode initiate switch 212 is
initialized, second mode initiate switch 212 output and AND gate 228 output are
ANDED by AND gate 230 which is then output to pulse output timer 242 and pulse
output timer 244.

In one embodiment, pulse output timer 242, pulse output timer 244, and delay 
initiation timer 250 allow the mode to be reset. Additionally, timer 244, in conjunction 
with flip-flop 260, allow multiple mode resets, i.e. timer 244 holds flip-flop 260 in 
the set-override position until other modes, i.e. Mode One initiate signal input from 
OR gate 224, are reset which drops out the reset command to the selected mode, i.e. 
Mode Two. In use, timer 242 is only required if the mode is allowed to re-initialize 
itself, in which case pulse output timer 244 will hold an initiation signal for delay 
initiation timer 250. Pulse output timer 242 will drop out after a pre-determined time 
for reset. In one embodiment, pulse output timer 244 includes a delay time which is 
greater than pulse output timer 242 delay time. Flip-flop 260 output is then used to 
actuate at least one pre-determined system 4 component from a first position or state 
to a second position or state. Delay initiation timer 250 then allows either re-initializing
Mode Two or switching to another mode such as Mode One without going to a standby
mode. 

[0029] Additionally, if system 4 is configured in Mode Two and the operator has manually 
changed a system 4 component, Mode Two can be re-initialized. In this case, pulse 
output timer 242 output is input to OR gate 224 which is input to flip-flop 260 reset. 
Pulse output timer 244 holds the initiation signal for delay initiation timer 250 
allowing pulse output timer 242 output to initialize flip-flop 260 and allow re- 
initializing Mode Two. 

[0030] While the invention has been described in terms of various specific embodiments,
those skilled in the art will recognize that the invention can be practiced with
modification within the spirit and scope of the claims.